All Things Open 2022 - State of OSS Security & Support
1. Image by Gerd Altmann from Pixabay
Javier Perez
Chief Evangelist & Sr. Director Product Management, OpenLogic by Perforce
The State of Open Source Software, Security & Support
2. Nice To Meet You!
Javier Perez
Chief Evangelist & Sr. Director Product Management
@jperezp_bos
javierperez.mozello.com
www.linkedin.com/in/javierperez
3. Package counts by registry (registry names appeared only in the slide graphic)
• 2.1M+ packages, 1,034 packages per day
• 504K+ packages, 157 packages per day
• 355K+ packages, 87 packages per day
• 410K+ packages, 276 packages per day
• 328K+ packages, 150 packages per day
• 173K+ packages, 15 packages per day
Source: Oct 28, 2022 www.modulecounts.com
5. Has your organization increased the use of open source software over the last year?
• Yes: 41%
• Yes, significantly: 36%
• Remain the same: 22%
• Reduced the use of open source: 1.6%
YES (Yes + Yes, significantly): 77%
11. Risks of Ignoring End-of-Life
• Unpatched CVEs mean an ongoing and compounding risk of exploitation: no fix will ever ship for an EOL version
• Incompatibility with newer software
• Non-compliance (internal policy or industry compliance)
• Upgrading or migrating becomes more complex the longer it is deferred, and more support is required
• Self-support cost: development resources are pulled away from their jobs, and specialized expertise is required
12. Open Source Support Challenges
• Keeping up with updates & patches
• Installation, upgrades & configuration
• Personnel experience & proficiency
13. Keeping Up With Updates and Patches
• Constant releases: security patches have to be applied as they ship
• End-of-life versions no longer receive those patches
Timeline (from the slide graphic): V1.0.0 → V1.0.1 → V1.0.2, where each release cycle is "vulnerability discovered" followed by "vulnerability fixed" in the next version
Example: OpenSSL releasing 3.0.7 today
14. Open Source Security Today: Increased Awareness
• Identify inventory: Software Bill of Materials (SBOM)
• Security scans: vulnerability detection
• Apply fixes: patches
15. Dependencies and Vulnerabilities
• Open source libraries are built for reuse, so one library pulls in others
• Depending on the programming language, a library can have thousands of transitive dependencies
• A vulnerability in any dependency is a real risk for all software that depends on it, directly or transitively
* Sources: graphcommons.com
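The three slides above (keeping up with patches and EOL versions, the SBOM/scan/patch loop, and vulnerabilities reached through transitive dependencies) describe one workflow. The script below is an added example, not code from the talk or from OpenLogic: it loads a small CycloneDX-style SBOM, checks every component against an advisory list and an end-of-life table, and walks the dependency graph to show the chain through which a vulnerable transitive dependency reaches the application. The SBOM, the "acme-" component names and the advisory identifier are constructed for the example; the OpenSSL affected range mirrors the 3.0.7 release the slide mentions (3.0.0 through 3.0.6), and the CentOS Linux 8 and AngularJS EOL dates are the real ones.

```python
"""SBOM triage against advisories and end-of-life data (added example)."""
import json
import re
from datetime import date

# Constructed CycloneDX 1.4-style SBOM for a fictional application.
# "acme-" names are placeholders; openssl 3.0.5, angular 1.8.3 (AngularJS)
# and CentOS Linux 8 are real releases.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "acme-app", "version": "2.3.0"}},
    "components": [
        {"bom-ref": "httpc", "type": "library", "name": "acme-httpclient", "version": "1.4.2"},
        {"bom-ref": "ssl", "type": "library", "name": "openssl", "version": "3.0.5"},
        {"bom-ref": "ui", "type": "library", "name": "acme-ui", "version": "0.9.1"},
        {"bom-ref": "ng", "type": "library", "name": "angular", "version": "1.8.3"},
        {"bom-ref": "os", "type": "operating-system", "name": "centos", "version": "8"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["httpc", "ui", "os"]},
        {"ref": "httpc", "dependsOn": ["ssl"]},
        {"ref": "ui", "dependsOn": ["ng"]},
        {"ref": "ssl", "dependsOn": []},
        {"ref": "ng", "dependsOn": []},
        {"ref": "os", "dependsOn": []},
    ],
})

# Constructed advisory list. The id is a placeholder, not a real CVE; the
# affected range is the one OpenSSL 3.0.7 closed.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-1", "name": "openssl", "affected": ">=3.0.0,<3.0.7", "fixed_in": "3.0.7"},
]

# EOL table: CentOS Linux 8 and AngularJS both reached end-of-life on
# 2021-12-31 (real dates). "*" matches every version of the component.
EOL = {
    "centos": {"8": date(2021, 12, 31)},
    "angular": {"*": date(2021, 12, 31)},
}

def parse_version(text):
    """'3.0.7' -> (3, 0, 7). Non-numeric suffixes such as '-rc1' are dropped."""
    parts = []
    for piece in re.split(r"[.\-+]", text):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def version_in_range(version, spec):
    """True if `version` satisfies every comma-separated clause in `spec`."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.match(r"(>=|<=|==|>|<)(.+)", clause.strip())
        if not m:
            raise ValueError(f"bad clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True

def load_sbom(text):
    """Return (root ref, components by bom-ref, dependency graph)."""
    bom = json.loads(text)
    components = {c["bom-ref"]: c for c in bom["components"]}
    root = bom["metadata"]["component"]
    components[root["bom-ref"]] = root
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in bom["dependencies"]}
    return root["bom-ref"], components, graph

def paths_to(graph, start, target, path=None):
    """All dependency chains from `start` down to `target` (DFS, cycle-safe)."""
    path = (path or []) + [start]
    if start == target:
        return [path]
    found = []
    for child in graph.get(start, []):
        if child not in path:
            found.extend(paths_to(graph, child, target, path))
    return found

def triage(sbom_text, advisories=ADVISORIES, eol_table=EOL, today=date(2022, 11, 1)):
    """Flag vulnerable components (with fix version and reach chains) and EOL components."""
    root, components, graph = load_sbom(sbom_text)
    findings = {"vulnerable": [], "eol": []}
    for ref, comp in components.items():
        name, version = comp["name"], comp["version"]
        for adv in advisories:
            if adv["name"] == name and version_in_range(version, adv["affected"]):
                chains = [" -> ".join(components[r]["name"] for r in p)
                          for p in paths_to(graph, root, ref)]
                findings["vulnerable"].append({"component": f"{name}@{version}", "advisory": adv["id"],
                                               "fixed_in": adv["fixed_in"], "chains": chains})
        for ver, eol_date in eol_table.get(name, {}).items():
            prefix = parse_version(ver) if ver != "*" else ()
            if parse_version(version)[:len(prefix)] == prefix and today > eol_date:
                findings["eol"].append({"component": f"{name}@{version}", "eol": eol_date.isoformat(),
                                        "days_past": (today - eol_date).days})
    return findings

if __name__ == "__main__":
    print(json.dumps(triage(SBOM_JSON), indent=2))
```

The dependency chain in the output ("acme-app -> acme-httpclient -> openssl") is the point of slide 15: the application never declared OpenSSL, yet it ships the vulnerable copy and must be rebuilt once the fix lands. The EOL check is date-based rather than version-based, because an EOL component with no open advisory is still an unpatchable one.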
16. Open Source Software Security Mobilization Plan
• Education
• Risk Assessment: Top 10K OSS
• Digital Signatures
• Move to Memory Safe Languages
• Incident Response Team
• Coordinated Public Disclosure
• Code Reviews: Top 200 OSS
• Industry Data Sharing
• SBOM Everywhere
• Enhance Package Management
17. ISO/IEC 5230 OpenChain Standard (License Risk)
• Organization-level license compliance for every OSS artifact
• Documented process
• SBOM verification
• Open source community engagement
18. Open Source and US Government
• White House Executive Order on Improving the Nation's Cybersecurity: working groups
• H.R. 7667 Medical Device Security Bill: vulnerability detection and SBOM directive
• The Federal Trade Commission (FTC) advised companies to patch Log4j, warning of legal action against those that do not
19. Open Source and US Government
• Cybersecurity and Infrastructure Security Agency (CISA): binding directive making vulnerability disclosure mandatory
• National Security Strategy: aligning with organizations & OSS
• US Senate Securing Open Source Software Act: best practices, assessment framework, OSPO, and hiring OSS experts
20. Open Source Maturity in Organizations
(Slide graphic: stages plotted with Time on the horizontal axis and Desired Position/Efforts on the vertical axis)
• Consumers: adopting (cost, time, or modernize); deploying and complying with licenses
• Participants: limited contributions to open source; increased use & adoption, business-critical
• Contributor: contributions to open source projects; investment in open source technologies
• Leader: launching new open projects & initiatives; establishing an Open Source Program Office
21. Maturity in Organizations by the Numbers
• Retail has the highest OSS usage at 60%
• Manufacturing has the lowest rate of experts: 30%
• Banking, Insurance, Financial Services have the most innersource: 19%
• Healthcare and Pharma have the highest rate of OSPOs: 21%
* Sources: 2022 State of Open Source Report
22. Open Source Jobs Report
Source: The Linux Foundation OSS Jobs Report
• 93% of employers have difficulty finding talent with OSS skills
• 77% of orgs are growing their use of cloud-native technologies
• 81% of open source professionals plan to add certifications
Most in-demand skills: Cloud/Container Technology, Linux, DevOps/GitOps, Cybersecurity, AI/ML, Web Technologies
23. Key Takeaways
• Open source release life cycles, EOL and LTS are constantly changing
• Lessons from CentOS and AngularJS EOL
• OSS communities work on security; the key is to keep up with updates and patches
• There's more open source security awareness and government participation
24. Has your organization increased the use of open source software over the last year? (2022 report)
• Yes: 41%
• Yes, significantly: 36%
YES (combined): 77%
25. Has your organization increased the use of open source software over the last year? (Latest Results)
• Yes: 50%
• Yes, significantly: 35%
YES (combined): 85%